Proposal Details

go 1.24 added support for managing developer tool dependencies directly in go.mod. while this is a valuable feature, there's room for improvement in dependency management clarity - specifically, there's currently no way to distinguish between indirect dependencies from the project vs from tools.

proposal: extend go.mod format to distinguish tool indirect dependencies with a new comment marker //indirect:tool.

current format:

require github.com/main/dep v1.0.0

tool github.com/dev/tool

require (
    github.com/indirect/dep v1.0.0 // indirect   # source unclear
    github.com/indirect/dep2 v1.0.0 // indirect  # source unclear
)

proposed format:

require github.com/main/dep v1.0.0

tool github.com/dev/tool

require (
    github.com/indirect/dep v1.0.0 // indirect        # from main/dep
    github.com/indirect/dep2 v1.0.0 // indirect:tool  # from dev/tool
)

rationale: since go binaries are statically linked by default, it should be straightforward to audit what code is included in your final binary vs what's just needed for development.

implementation note: for dependencies that are indirect from both project and tools, the standard //indirect marker should be used to avoid duplicating data. this could potentially complicate tool dependency auditing but keeps the file simpler.

q: has this been discussed before? are there alternative approaches worth considering?

Comment From: seankhliao

related #70582

Comment From: gabyhelp

Related Issues

(Emoji vote if this was helpful or unhelpful; more detailed feedback welcome in this discussion.)

Comment From: matloob

I think it might be better to do this using go mod why as suggested in #70582. Adding another value similar to indirect could add clutter to the file. It might still be a good idea, but I think it would make sense to wait and see if addressing #70582 helps enough